One network, two domains

Wowbagger - Posted June 26, 2008

In the building there is one physical network and one Windows (2000?) server that serves up DHCP assignments, handles the gateway and so forth. For most people in the building they use this domain and all is well.

There is another group of people in the building with their own 2003 server. Aside from the physical wiring, DHCP and gateway they have absolutely nothing to do with the domain that everybody else uses. The few exceptions above aside, there is absolutely zero resource sharing between this group and the existing domain.

They would like to set up their own domain, active directory, sharepoint and other services. The 2003 server is already configured to provide DNS services to people within the group, but AD can't be installed until the box is promo'ed to a domain controller.

Will having two domain controllers on the same network pose any problems as long as all of the users on the local network using the new domain (on the 2003 box) perform DNS queries on the 2003 box first?
Phillip Windell - Posted June 26, 2008

Re: One network, two domains

It would be fine apart from the fact that the DNS requirements would be different so you could not fully use DHCP for the second Domain. You would have to use static addressing or you would have to remove DNS from *all* the Scopes and assign DNS manually for everybody. If you look in the TCP/IP Config of any Windows machine you can see that you can use DHCP but still statically assign DNS.

But personally I'd only want to "mess" with static settings on one domain rather than every single machine plus the modification to the Scopes. So I would leave the first Domain alone and not mess with it, then statically assign the TCP/IP specs of the clients of the second domain.

Better yet,...I would probably create a second IP Segment (it ain't hard to do) for the second domain and avoid the whole mess. Buy a Layer3 Switch,...split the switch ports down the middle with a pair of VLANs, move the patch cables to the correct "side" of ports to be in the correct segment,...and go with it. Hang additional Layer2 switches off of the correct VLAN'ed group of ports to extend if you need more ports. The Switch/Router won't require any additional routing at this point and it will certainly be *handy* to have to make future routing decisions in one central location as your needs change. The Firewall Device will need a Static Route added to it to tell it to use the Layer3 Switch (the LAN Router) as the path to get to the opposite subnet.

This Layer3 Switch/Router setup will also give you the extremely simple means of access control between the two Segments/Domains using ACLs on the router,...this is probably something else you will want to do in the future. Always think of the future,..always take advantage of reasons to buy new equipment to better the network design, those opportunities may not happen often,..and this could be one of those justifiable reasons to buy the Layer3 Switch/Router.

--
Phillip Windell
http://www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------

"Wowbagger" <Wowbagger~~> wrote in message news:%23VNSos71IHA.1768@TK2MSFTNGP03.phx.gbl...
> In the building there is one physical network and one Windows (2000?) server that serves up DHCP assignments, handles the gateway and so forth. For most people in the building they use this domain and all is well.
>
> There is another group of people in the building with their own 2003 server. Aside from the physical wiring, DHCP and gateway they have absolutely nothing to do with the domain that everybody else uses. The few exceptions above aside, there is absolutely zero resource sharing between this group and the existing domain.
>
> They would like to set up their own domain, active directory, sharepoint and other services. The 2003 server is already configured to provide DNS services to people within the group, but AD can't be installed until the box is promo'ed to a domain controller.
>
> Will having two domain controllers on the same network pose any problems as long as all of the users on the local network using the new domain (on the 2003 box) perform DNS queries on the 2003 box first?
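The "DHCP for the address, static DNS" arrangement Phillip describes, as an added example that is not from any of the posters: a batch file run once on each client of the second domain. The interface name, the DC/DNS address 192.168.1.20 and the domain name group2.example are constructed placeholders.

```batch
@echo off
rem Added example, not from the thread. Leaves the address and default
rem gateway on the building's DHCP, but pins DNS to the group's own 2003
rem DNS/DC so the client can locate the new domain. Placeholder values:
set NIC=Local Area Connection
set DC_DNS=192.168.1.20
set DOMAIN=group2.example

rem Keep obtaining IP address and gateway from the existing DHCP server.
netsh interface ip set address name="%NIC%" source=dhcp

rem Override only the DNS server. Do not add the building's DNS server as a
rem secondary: a client that falls back to it cannot resolve the new
rem domain's SRV records, and logons/Group Policy become intermittent.
netsh interface ip set dns name="%NIC%" source=static addr=%DC_DNS% register=primary

rem Check 1: the DNS server actually in effect on this client.
ipconfig /all | findstr /c:"DNS Servers"

rem Check 2: the client can find a domain controller for the new domain
rem through that server (the record DC locator looks up first).
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %DC_DNS%
```

If the SRV query returns nothing after the 2003 box has been promoted, the client will not be able to join or log on to the new domain, regardless of how the address itself was obtained.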
Wowbagger - Posted June 26, 2008

Re: One network, two domains

"Phillip Windell" <philwindell@hotmail.com> wrote in message news:%23QR8l671IHA.5512@TK2MSFTNGP06.phx.gbl...
> It would be fine apart from the fact that the DNS requirements would be different so you could not fully use DHCP for the second Domain. You would have to use static addressing or you would have to remove DNS from *all* the Scopes and assign DNS manually for everybody.

This won't be a problem - there's only a dozen machines or so that I'll have to mess with.

> But personally I'd only want to "mess" with static settings on one domain rather than every single machine plus the modification to the Scopes. So I would leave the first Domain alone and not mess with it, then statically assign the TCP/IP specs of the clients of the second domain.

Don't even have a choice about that one - the first domain is 100% out of my control. Can't do a thing with it.

> Better yet,...I would probably create a second IP Segment (it ain't hard to do) for the second domain and avoid the whole mess.

Not hard to do, and if I had any kind of power over the networking of the building then I'd get a gig-e switch for my group and start to upgrade the machines to the faster NICs as needed. When I find a gig-e switch on sale for $150 or so I'll probably pull the trigger on that, but don't expect to see those prices for another 18 months or so. The gig-nics are showing up on sale for $20 once in a great while so prices are still slowly coming down.
Bill Grant - Posted June 26, 2008

Re: One network, two domains

"Wowbagger" <Wowbagger~~> wrote in message news:OUd0eP81IHA.2064@TK2MSFTNGP05.phx.gbl...
> "Phillip Windell" <philwindell@hotmail.com> wrote in message news:%23QR8l671IHA.5512@TK2MSFTNGP06.phx.gbl...
>
>> It would be fine apart from the fact that the DNS requirements would be different so you could not fully use DHCP for the second Domain. You would have to use static addressing or you would have to remove DNS from *all* the Scopes and assign DNS manually for everybody.
>
> This won't be a problem - there's only a dozen machines or so that I'll have to mess with.
>
>> But personally I'd only want to "mess" with static settings on one domain rather than every single machine plus the modification to the Scopes. So I would leave the first Domain alone and not mess with it, then statically assign the TCP/IP specs of the clients of the second domain.
>
> Don't even have a choice about that one - the first domain is 100% out of my control. Can't do a thing with it.
>
>> Better yet,...I would probably create a second IP Segment (it ain't hard to do) for the second domain and avoid the whole mess.
>
> Not hard to do, and if I had any kind of power over the networking of the building then I'd get a gig-e switch for my group and start to upgrade the machines to the faster NICs as needed. When I find a gig-e switch on sale for $150 or so I'll probably pull the trigger on that, but don't expect to see those prices for another 18 months or so. The gig-nics are showing up on sale for $20 once in a great while so prices are still slowly coming down.

If you are stuck with running both domains on the same segment, it is definitely possible as Phillip outlined. You can't run DHCP for the second domain so you will need to configure them all manually and set them to use the correct DNS server and gateway.

You will also need to make sure that you do not duplicate any IP addresses which DHCP might hand out. Can you get the sysadmin of the first domain to reserve a block of IPs in the DHCP scope?
Phillip Windell - Posted June 27, 2008

Re: One network, two domains

"Wowbagger" <Wowbagger~~> wrote in message news:OUd0eP81IHA.2064@TK2MSFTNGP05.phx.gbl...
> Not hard to do, and if I had any kind of power over the networking of the building then I'd get a gig-e switch for my group and start to upgrade the machines to the faster NICs as needed. When I find a gig-e switch on sale for $150 or so I'll probably pull the trigger on that, but don't expect to see those prices for another 18 months or so. The gig-nics are showing up on sale for $20 once in a great while so prices are still slowly coming down.

I think you misunderstand what I mean by a Layer3 Switch.

1. It doesn't have anything to do with Gigabit.
2. Most I have seen are 10/100 but 10/100/1000 are getting more popular.
3. $20 might buy the power cord to a Layer3 Switch. The cheaper ones might be around $500 (guessing) with up in the 1,000's for better ones. We have about $15,000.00 wrapped up in ours that uses a Chassis/Module design.

--
Phillip Windell
http://www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
Wowbagger - Posted June 28, 2008

Re: One network, two domains

"Bill Grant" <not.available@online> wrote in message news:ehtQvi%
> Can you get the sysadmin of the first domain to reserve a block of IPs in the DHCP scope?

Unfortunately, no. I'm 100% on my own with this. Some day I'll be able to physically separate the two - a switch plus a NAT to bridge between my segment and everybody else would probably do the trick.
Wowbagger - Posted June 28, 2008

Re: One network, two domains

"Phillip Windell" <philwindell@hotmail.com> wrote in message news:Owbb8sF2IHA.4004@TK2MSFTNGP03.phx.gbl...
> I think you misunderstand what I mean by a Layer3 Switch.

Expensive, especially when I can get a 24 port layer 2 10/100/1000 for $180 + $50 for a NAT router to bridge between my segment and the rest of the building.
Bill Grant - Posted June 28, 2008

Re: One network, two domains

"Wowbagger" <Wowbagger~~> wrote in message news:#VnrHYM2IHA.416@TK2MSFTNGP04.phx.gbl...
> "Bill Grant" <not.available@online> wrote in message news:ehtQvi%
>
>> Can you get the sysadmin of the first domain to reserve a block of IPs in the DHCP scope?
>
> Unfortunately, no. I'm 100% on my own with this. Some day I'll be able to physically separate the two - a switch plus a NAT to bridge between my segment and everybody else would probably do the trick.

Yes, that would do it. It is possible to run your own "logical" network in its own IP subnet on the same wire and use NAT. You would use one of your machines (not the DC) as a NAT router between your network and the existing network.

eg

    Gateway router  192.168.1.254
          |
    Domain 1   192.168.1.x   dg 192.168.1.254   config from DHCP
          |
    192.168.1.253   dg 192.168.1.254
         NAT
    192.168.31.254  dg blank
          |
    Domain 2   192.168.31.x  dg 192.168.31.254  manual config

All machines are connected to the same switch, but are logically separate networks because they are in different IP subnets. Domain 2 machines can reach the Internet via NAT and the gateway router, but Domain 1 cannot see Domain 2 machines because NAT only routes one way. You only need one IP from the parent network for the "public" IP of your NAT router.
Phillip Windell - Posted July 1, 2008

Re: One network, two domains

That would work,...but,...

1. Running NAT in the middle of a LAN isn't such a great idea in general. It should be normal routing (no NAT) with maybe possibly ACLs on the LAN Router.
2. You are talking about "home user" equipment that has less capability/flexibility and has a high hardware failure rate compared to commercial equipment. The old saying, "You get what you pay for" is still true.

--
Phillip Windell
http://www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------

"Wowbagger" <Wowbagger~~> wrote in message news:eM6ecdM2IHA.4476@TK2MSFTNGP06.phx.gbl...
> "Phillip Windell" <philwindell@hotmail.com> wrote in message news:Owbb8sF2IHA.4004@TK2MSFTNGP03.phx.gbl...
>
>> I think you misunderstand what I mean by a Layer3 Switch.
>
> Expensive, especially when I can get a 24 port layer 2 10/100/1000 for $180 + $50 for a NAT router to bridge between my segment and the rest of the building.